ISO/IEC 27001 Control 6.4: Disciplinary process

Control

A disciplinary process should be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

Implementation of this control without midPoint is feasible. However, midPoint provides considerable advantages for implementation of this control, making the implementation more efficient and reliable.

Implementation Overview

MidPoint can be used as a tool to easily reduce the access rights of users who violate the policy.

Implementation Details

In midPoint, access is granted to users through assignments, usually role assignments. Each assignment contains an activation part that controls the validity of the assignment. For disciplinary actions, assignment activation can be used to temporarily disable the assignment, revoking access rights from users who violated the policies. The assignment itself stays in place, so the access can easily be restored when the disciplinary action is over. Moreover, the activation mechanism allows revocation of access rights to be set up for a specific period, after which the access rights are automatically restored.

Object marks can be used to mark users who are under investigation or subject to disciplinary action; the marks are also recorded in the audit trail. Policy rules can be used to support the disciplinary actions, and the reporting mechanism can be used to report such users. In extreme cases, the identity lifecycle can be used to temporarily disable all access of a specific user, using the "suspended" lifecycle state.
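The following user object is an added illustration of the patterns described above, written in midPoint's XML representation; it is not taken from the midPoint documentation or code base. All OIDs and dates are placeholders, and the policyStatement/markRef element for object marks assumes midPoint 4.7 or later.

```xml
<!-- Constructed example: a user subject to a disciplinary action. OIDs and dates are placeholders. -->
<user xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>jdoe</name>

    <!-- Object mark recording that this user is under disciplinary action.
         Assumes midPoint 4.7+ object marks; the mark OID below is a placeholder. -->
    <policyStatement>
        <markRef oid="11111111-1111-1111-1111-111111111111"/>
        <type>apply</type>
    </policyStatement>

    <!-- Alternative for extreme cases: suspend the whole identity rather than
         individual assignments (uncomment to apply).
    <lifecycleState>suspended</lifecycleState>
    -->

    <!-- Pattern 1: the assignment stays in place but is administratively disabled.
         Access is revoked immediately and comes back only when the status
         is set back to "enabled" after the disciplinary action ends. -->
    <assignment>
        <targetRef oid="22222222-2222-2222-2222-222222222222" type="RoleType"/>
        <activation>
            <administrativeStatus>disabled</administrativeStatus>
        </activation>
    </assignment>

    <!-- Pattern 2: timed revocation. A validFrom date in the future means the
         assignment is not effective until that date, so the role's access is
         restored automatically once the suspension period has passed. -->
    <assignment>
        <targetRef oid="33333333-3333-3333-3333-333333333333" type="RoleType"/>
        <activation>
            <validFrom>2030-01-15T00:00:00.000Z</validFrom>
        </activation>
    </assignment>
</user>
```

Both patterns keep the assignment on the user, so the audit trail and reports still show which access the user normally holds while it is revoked.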

Rationale

MidPoint has supporting functionality to apply consequences of disciplinary processes to access management.
